On 5 Feb 2013 03:26, "Peter Saint-Andre" <[email protected]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2/3/13 8:57 AM, Dave Cridland wrote:
> >
> > On Feb 3, 2013 3:09 PM, "Salvatore Loreto" <[email protected]> wrote:
> >>
> >> On 2/3/13 5:03 PM, Dave Cridland wrote:
> >>>
> >>> On Feb 3, 2013 3:00 PM, "Salvatore Loreto" <[email protected]> wrote:
> >>>> maybe it is not explicitly stated in the RFC, but this is one of
> >>>> the reasons why you have the PING/PONG frame control in WebSocket
> >>>
> >>> Yes, that might reduce the likelihood of sessions dropping, but
> >>> 198 allows a session to survive a drop.
> >>
> >> sure 198 does it,
> >>
> >> we also discussed in HyBi the possibility for WebSocket to
> >> survive a drop, but if I remember correctly people raised a lot
> >> of browser security concerns at the time
> >>
> >
> > Yes, because having authentication at the WebSocket layer was ruled
> > out.
> >
> > Because XMPP has auth, we get to have secure resumption.
>
> Wow, it sure is handy to have stable identifiers and strong
> authentication, eh?
>
Yes, it turns out to be useful, much to everyone's surprise. Though transient identifiers, such as resources or TLS sessions, are just as good here, as long as they're able to be authenticated.

> In any case, we wouldn't do this at the WebSocket layer, it would
> happen at the level of the xmpp subprotocol.
>

Right. XEP-0198 over XMPP over WebSocket.

Dave.
